Share This Page

A few weeks ago an unknown person walked into a mobile phone store, claimed to be me, asked to upgrade my mobile phones, and walked out with two brand new iPhones assigned to my telephone numbers. My phones immediately stopped receiving calls, and I was left with a large bill and the anxiety and fear of financial injury that spring from identity theft. This post describes my experiences as a victim of ID theft, explains the growing problem of phone account hijacking, and suggests ways consumers and mobile phone carriers can help combat these scams.

My Experiences as a Victim of ID Theft

One evening my mobile phone stopped working mid call. After discovering that another phone on my account also had no signal, I called my mobile carrier on a landline phone. The customer service representative explained that my account had been updated to include new iPhones, and in the process the SIM cards in my Android phones had been deactivated. She assumed it was a mistake, and told me to take my phones to one of my mobile carrier’s retail stores.

The store replaced my SIM cards and got my phones working again. A store employee explained that a thief claiming to be me had gone into a phone store and “upgraded” my two phones to the most expensive iPhone models available and transferred my phone numbers to the new iPhones.

I called my mobile carrier’s fraud department and reported what happened. The representative agreed to remove the charges, but blamed the theft on me. When I asked how the store authenticated the thief, he told me that employees of stores owned by the mobile carrier would have asked for the account holder’s photo ID and the last four digits of their social security number, but if the theft occurred at another retailer, that might not have happened.

I logged in to my online account, changed the password, and added an extra security PIN recommended by the fraud department. I then logged on to the Federal Trade Commission’s identitytheft.gov website to report the theft and learn how to protect myself. Identitytheft.gov is a one-stop resource for identity theft victims. It includes step-by-step instructions and sample letters to guide victims through the recovery process. Following the Identitytheft.gov checklist, I placed a fraud alert and obtained a free credit report. I also prepared an identity theft complaint affidavit, which I later printed and took with me to my local police station when I filed a police report.

I called my mobile carrier back several times over the next few days to finish cleaning up this mess. One of my phones had ended up with the wrong phone number and the other one no longer had voice mail. A few days later I received an email about mobile phone insurance that the thief had apparently added to my account. After three trips to my carrier’s retail stores and many hours on the phone, my carrier eventually fixed all the problems and refunded the fraudulent charges.

I was interested in learning where the theft had occurred and how much of my personal information was in the hands of the thief. Section 609(e) of the Fair Credit Reporting Act requires that companies provide business records related to identity theft to victims within 30 days of receiving a written request. So, following the template provided by Identitytheft.gov, I wrote a letter to my carrier requesting all records related to the fraudulent upgrades on my account. After about two months my carrier sent me the records. I learned that the thief had used a fake ID with my name and her photo. She had acquired the iPhones at a retail store in Ohio, hundreds of miles from where I live, and charged them to my account on an installment plan. It appears she did not actually make use of either phone, suggesting her intention was to sell them for a quick profit. As far as I’m aware the thief has not been caught and could be targeting others with this crime.

The Growing Problem of Phone Account Hijacking

Records of identity thefts reported to the FTC provide some insight into how often thieves hijack a mobile phone account or open a new mobile phone account in a victim’s name. In January 2013, there were 1,038 incidents of these types of identity theft reported, representing 3.2% of all identity theft incidents reported to the FTC that month. By January 2016, that number had increased to 2,658 such incidents, representing 6.3% of all identity thefts reported to the FTC that month. Such thefts involved all four of the major mobile carriers.

Identity theft reports to the FTC likely represent only the tip of a much larger iceberg. According to data from the Identity Theft Supplement to the 2014 National Crime Victimization Survey conducted by the U.S. Department of Justice, less than 1% of identity theft victims reported the theft to the FTC.

Media reports on mobile phone account hijacking provide more evidence of this problem. A 2013 Forbes article reported that the government had seized over 5,500 phones from a Michigan operation that allegedly acquired them fraudulently from AT&T, Verizon, Best Buy, Radio Shack, and Apple stores and was shipping them overseas. The article reported that thieves used stolen identities to upgrade phones and add phone lines to existing accounts. In February 2015 more than 50 customers in the Denver area complained that Verizon had charged them for iPhone 6s, iPads, and new service plans they had not ordered. A North Carolina church received an AT&T bill for 17 iPhones purchased by an identity thief. In December 2015, four suspects were charged with using fake identity documents to purchase iPhones at AT&T stores in Kansas. In April 2016 three people arrested in a traffic stop in New Jersey were found to have fake IDs with the names of identity theft victims that they had used to fraudulently acquire iPhones. In May a man was arrested in Oregon for trying to buy four iPhones at a Verizon store using a fake ID. The man had previously been arrested twice on similar charges.

The Identitytheft.gov reports indicate that it is common for thieves to hijack a mobile phone account and also open other accounts in the victim’s name, days or weeks later. These are often mobile accounts with other carriers or credit cards for retail stores. In addition, some victims reported that identity thieves also changed the email addresses associated with their financial accounts.

Some victims did not have their mobile account hijacked, but instead received bills or calls from bill collectors about accounts with other carriers that identity thieves had opened with their names.

Most of the account hijackings likely occurred without the victims having provided information to fraudsters themselves. There are a number of reverse-lookup websites that will identify the carrier associated with any US phone number for free. Some will also identify the name of the subscriber and their city and state for free, and will sell the complete address for less than a dollar. There are also black market websites that sell dossiers that include social security numbers.

Other victims have also recounted falling for a phone scam in which the caller impersonated a representative from their mobile carrier. One victim reported that before their account was hijacked, a caller fraudulently claiming to be from their mobile carrier told them that their phone service would be down for 24 to 48 hours. Another victim reported that that a phony representative from their carrier’s fraud department called them and asked them to read back a code that had just been texted to their phone. When the victim complied, the fraudster was able to impersonate the victim and make unauthorized changes to their mobile account.

Perhaps most insidious, some thieves use their victim’s hijacked phone number to gain access to financial accounts that use two-factor authentication through text messages. This is known internationally as a “SIM swap” scam, or “SIM splitting.” The New York Division of Consumer Protection also warns about this scam on their website.

Thieves first purchase the victim’s bank account info or acquire it through a phishing attack. They may also look for publicly available information about the victim on social networks that can help them answer security questions. Then they impersonate the victim and call the victim’s mobile phone company to report that their phone has been damaged or stolen and convince the company to cancel the SIM card and activate a new SIM card with the victim’s phone number in the thieves’ phone. The thieves are then able to make bank account transfers, responding to phone calls and text messages directed to the victim’s phone number in order to complete the transactions. The victim’s phone stops working as soon as the SIM card is swapped. It usually takes them several hours or days to get their phone service restored, and longer to notice that their bank account has been emptied.

Industry experts I spoke with at a company that provides authentication services for mobile banking told me that SIM swap scams have become common in Europe and are increasing in the United States. In addition to obtaining information through phishing attacks, they told me that fraudsters often purchase victims’ information from black market sellers, or from rogue employees of financial institutions or mobile carriers. Unfortunately, there is little a consumer can do to prevent this.

What You Can Do

I asked all the major mobile carriers what consumers could do to protect themselves from a mobile account takeover. One of the most important steps you can take is to establish a password or PIN that is required before making changes to your mobile account. Each of the carriers offers this feature to their customers in a slightly different way.

AT&T offers a feature they refer to as “extra security.” Once activated, any interaction with AT&T, whether online, via phone, or in a retail store will require that you provide your passcode. You can use your AT&T online account or the myAT&T app on your mobile phone to turn on extra security. Note, that when you login online with your passcode, you may be presented with the option to not be asked for it again. Do not accept this option or you will disable extra security.

Sprint asks customers to set a PIN and security questions when they establish service with Sprint, so no additional steps are needed to use this feature.

T-Mobile allows their customers to establish a customer care password on their accounts. Once established, customers are required to provide this password when contacting T-Mobile by phone. To establish such a password, customers can call T-Mobile customer service or visit a T-Mobile retail store.

Verizon allows their customers to set an account PIN. Customers can do this by editing their profile in their online account, calling customer service, or visiting a Verizon retail store. This PIN provides additional security for telephone transactions and certain other transactions.

Using this extra password or PIN is a good idea and should help reduce your risk of mobile account takeovers. However, it does not offer complete protection, so make sure you remain alert for phishing attacks, protect your financial account information, and examine your mobile phone and credit card bills carefully every month for signs of fraud. If your phone stops receiving a signal and says “emergency calls only” or “no network,” even after you restart your phone, contact your mobile carrier to see whether your account has been hijacked.

What Mobile Carriers Should Do

The mobile carriers are in a better position than their customers to prevent identity theft through mobile account hijacking and fraudulent new accounts. In fact, many of them are obligated to comply with the Red Flags Rule, which, among other things, requires them to have a written identity theft prevention program.

Carriers should adopt a multi-level approach to authenticating both existing and new customers and require their own employees as well as third-party retailers to use it for all transactions.

Having a mobile phone account hijacked can waste hours of a victim’s time and cause them to miss important calls and messages. However, this crime is particularly problematic due to the growing use of text messages to mobile phones as part of authentication schemes for financial services and other accounts. The security of two-factor authentication schemes that use phones as one of the factors relies on the assumption that someone who steals your password has not also stolen your phone number. Thus, mobile carriers and third-party retailers need to be vigilant in their authentication practices to avoid putting their customers at risk of major financial loss and having email, social network, and other accounts compromised.

The author’s views are his or her own, and do not necessarily represent the views of the Commission or any Commissioner.

Comments

This also happened to me last year. I was lucky to have seen the email message announcing the change to my account. While Verizon's Fraud department backed out the cost of the phones, they left it up to me to report the loss to the local police. Please make the following rule changes: 1) Carrier/seller should bear the cost of any fraud, 2) Such cases should be reported to the FTC and state police. Only if the carrier's are responsible for the cost/risk will there be sufficient incentive to stop this sort of thing.

I have had my SIM card cloned atleast 4 times it’s happening through my local Verizon store once the victim comes in they sales rep is able to make a copy of the sim and the hacking begins , Its Sad that Verizon allows this to happen...

A PIN on the handset is a good idea and will help protect your phone if someone steals the actual device from you. However, it will not prevent the phone account hijacking I described in this blog post.

Why don't they *ALWAYS* send a phone or text message notification to the old phone, preferably a series of such messages starting 24 hours before the switchover? Why can't I instruct my phone company to do this?

That was great advice! A simple text or call to me today before disabling my SIM CARD and giving a new SIM to the THIEF who took over my # and then used text codes to take over my CC would have been such a simple step!!!!

That's why I do not own a mobile, only a simple cellphone in case of car emergencies. And that's why I blocked all mobile orders on my online store. All orders placed on mobile phones were fraudulent and payments never realized, but I also never shipped the goods. Screw the mobile "industry". It is their fault that fraud like this happens. Just like if a bank is not secure enough the account holder is not hel d responsible. Banks are full of cashiers who are outright thieves and frauds and try not to give cash by sweet talk to elderly but even I in my 30s was supposed to become a victim. I reported the and they got fired. One did not get fired and I reported to FBI and then the bank had a lot of problems.

Great point. When someone is particularly careless I have been known to approach them afterwards and (with a little prior discussion to set the stage) recite all of their personal info, explaining that there are criminals who make a living out of "shoulder surfing" and that if I have the capacity to immediately memorize all of their information upon simply hearing it once, others do as well. (In fact, there are techniques that can be learned for doing this, although some come by the skill naturally.) The funniest reaction I've had was the wife of a particularly loud mouthed gentleman who immediately lit into him saying, "what have I been telling you every time you open your big mouth?"

My solution is to refuse to provide such information verbally. I either require that we step into a private area, or that I write the information down on a slip of paper WHICH I KEEP and destroy later. However, if they are going to simply repeat the information over the phone so that someone can overhear them, I either get a manager to solve the issue, or I put a halt to the transaction until I can make other arrangements.

There are other forms of ID theft that can have unfortunate results. Who's the ombudsman to report vulnerabilities to?
If I suspect that the "red flags rule" program for a particular business may be flawed, or perhaps was not followed, who would I report it to?

I have a friend who works for Boost mobile,i gave her money to purchase a phone and to turn the service on for me i told her to add a pin number,we had got into a fight so because she new all my imformation and my pin number she turned my service off and changed my pin number after a week she turned my phone back on but now it says my pin has been changed how can i find out. How to retreave my pin

Requiring a PIN or password at the phone store in this case may have helped to prevent identity fraud, even if the identity thief presents a fake ID at the store. But the use of a PIN or password as a shared secret between the customer and the mobile service provider has known weaknesses: it can be stolen by identity thieves and used to impersonate someone else. That’s one reason why many service providers are using one-time codes sent to their customer’s mobile phones as a second layer of authentication. Although not foolproof, it’s better than relying only on a static PIN or password.

But what if the mobile phone provider instead had sent a “push notification” to the author’s phone? The notification message might have said something like “Someone, perhaps you, is attempting to update your account at a phone store. If this is you, please enter a PIN (or swipe your finger) to authorize this transaction.” The author, upon receiving this notification on her phone, would have realized immediately that something was wrong, and the fraud would not have succeeded. But if the transaction were legitimate, the mobile phone customer could authorize the transaction by providing the correct PIN, or perhaps swiping a finger. The difference here is that the identity thief would not only need to know the correct PIN, but would also need to have the phone as well. The PIN or biometric would never leave the phone, but would instead be used to unlock a “key” to authorize the transaction. Preventing fraud by demonstrating possession of one of the phones on the account, in addition to knowledge of a PIN, is a stronger method of preventing fraud.

In any case, mobile carriers would need to implement fraud prevention options such as this, and mobile phone customers would need to know about these options, and be motivated to activate them.

At least three things seem to be needed: (1) a set of “best practices” for preventing various kinds of identity theft that some entity acting in the public interest (the FTC?) is distributing throughout the business community; (2) incentives to motivate the business community to implement these practices; and (3) awareness and education of individuals about these practices. Could the FTC take a more aggressive role in making these things happen?

This happened to me in 2012. I'm glad to see that more attention has been given to this type of issue. Someone was successful in hijacking my account to purchase 5 iPhones. I had the passcode and all available alerts setup on my account. It was my account activity alert that informed me of the activity. I received an email thanking me for purchasing a new phone. In 2012, the cell phone company and law enforcement were very difficult to work with and were not interested at all!!! They acted as if I had done something wrong! I had my account locked down as much as it could be. This fraud was committed in person. There were all sort of red flags that the cell phone company ignored: 1) all of the transactions were uncharacteristic of my 20 year old account; 2) supposedly, the individuals didn't even know my full cell number; 3) the majority of the fraudulent transaction was completed by a member of the opposite sex, when that sex is not listed on my account; 4) in 20 years, I've never purchased an iPhone so why would I all of a sudden buy 5 of them; 5) my account was blocked from premium services, while the 5 fraudulent iPhones were purchased all with premium services; 6) etc.

There were too many mistakes that lead me to believe that the hijacking of my cell phone account was an internal scam. How do we prevent those??? They moved my number to a secondary account, associated with my account and made one of the stolen iPhones the primary. They removed my address and left the address blank. They removed the majority of my alerts. I was fortunate that they missed 2 alerts!!

What do you do if your house burns down or what do you do if your car quits you have to have a back-up plan. Maybe. install a landline. People need to be aware of the possibilities of this stuff happening thank you for the article.

While getting a landline sounds like a good plan, I just had my landline illegally ported by someone who is now trying to use my identity to set up credit cards in my name, with my ported phone number, but to an address that is not mine. I have no idea how my landline was ported, but pretty much nothing is safe from those who are bent on earning their money the fraudulent way. I caught it at 6 am on the day it was being ported and was able to block their access to all of my financial accounts and get a 7 year fraud alert placed on my account with all three credit reporting companies. Who knows how much of my personal data they have and how or when they will choose to try and use it again. Oh, the blessings and wonders of our technological advances.

If phone carriers sold data and cell service like gas stations sell gas, instead of by monthly contract, and also didn't sell phones or at least required phones to be bought separate from service, maybe there wouldn't be such ready picking for scammers.

Also, the fact that the big four loose so much money to scams and still make massive profits should tells us something about their obscenely high profit margins.

I have not had a 'contract' with a cell phone company for many years. When my last contract expired I stayed with the same major carrier but switched to a prepaid month to month. The rates are actually lower and the only inconvenience is remembering to re-up my phone every month which is easily done with a simple call. I also do not take up the option of having them store my debit card info...I re-enter it every time. I purchased an unlocked phone via a large on-line retailer (starts with A) so should I opt to go to a different carrier I have no need of purchasing a new phone.
There are good options out there to protect yourself...you just have to think outside the box and not be swayed by carriers telling you that you need a long term contract and a phone locked in to their service.

I very much enjoyed reading this article. Do you mind if I post to the Department of the Navy Chief Information Officer website and possibly use the article in our IT publication called CHIPS? I will make sure the source and author are cited.

Dear Ms. Cranor: I wish you had also named the carrier in your informative blog post. I don't understand why the carrier deserves to be shielded from exposure, especially since following security protocols appears to be "optional" depending on what store a crook happens to walk into and since the customer service representative had the temerity to blame you! How is any customer supposed to control whether a store rep follows required procedures when vetting a request to change phones? And it certainly doesn't take much effort to get the last four digits of a SS#, let alone somebody else's phone #.

The other thing implied, but left unsaid, is that humans are by far the weakest link in a typical security chain. I am always stunned at how easy it is to talk a representative into giving up the keys to an account kingdom. All it takes is a friendly voice, a polite manner, or an "honest" face. Unfortunately, enforcing security protocols and providing excellent customer service are often seen by electronic device/service providers as mutually exclusive, when they're not. No wonder honest people are constantly at a disadvantage and the crooks get to laugh all the way to (someone else's) bank.

Why don't carriers require the account holder to have his/her phone present to effect change/upgrade? If person claims phone is lost or stolen, why don't they call phone to confirm? There seems to be simple fixes. -Tom

I agree, this seems like a very easy thing to do, and should be a requirement. Send an SMS saying the phone is being switched off, and then call the number. Wait 10 minutes for someone to respond. The real owners may not always respond, but even just the existence of the checks would greatly increase the risk for the thieves and act as a substantial deterrent.

I don't want to seem insensitive, but I had a number transferred off my account by a family member, transferring my number to a in-laws account without my permission. The carrier (metropcs) defaults all passwords to the account holders date of birth. The carrier was completely unresponsive, to the point that they would not even provide me the store this happened at to send the cops to investigate. Even worse I CONTACTED THIS AGENCY, THE FTC, AND WAS TOLD THIS IS NOT, I REPEAT NOT IDENTITY THEFT! Hopefully with this personal experience you realise the gravity of the situation and use your agencies powers to enforce prosecution of the types of crimes that you personally identify with that your agency currently denies the existence of. Sincerely-good luck and please use your position to influence change. Thanks

This happened to me just this week. I got one notice by email and two notices by snail mail that my account info had been changed. Guess what were the very first things the identity thief changed? The email address for notifications, the telephone number for notifications, the username, the PIN number, they probably also changed the address. I am heading to a carrier store tomorrow to report the fraud/identity theft.

Photos. Take photos of your customers and scan their photo ID cards for changes. Makes it difficult to use a false photo ID and the store has the picture of the person the police need to look for. Then if I show up to change my account the salesmen can see my picture to verify it is me.

The term "identity theft" has always bothered me. It's a language choice that makes individuals feel like the parties responsible/victimized, when in actuality it's usually a company that gets tricked. In your case, the store was tricked into accepting an invalid ID. If companies were more careful with their authentication systems, consumers wouldn't have to worry about bearing the consequences (and blame) for something that's fundamentally not their fault. I'd prefer a term that conveyed fooling a company rather than victimizing a person, to make clear it's the company's fault, not the consumer's.

So there's also a weakness in the number porting system. If someone gets your SSN, they call into the mobile phone company and get your account number. Even with all the security in the world...your number gets ported to a new provider.

Just went through this today. All four of my numbers were fraudulently ported to Sprint. When I called my phone provider (minutes after the first number was ported) to report the issue, I was told there was nothing they could do to prevent them from being ported. So as the day went on, I watched all numbers on my account port away with no ability to stop them...even after reporting fraud to my carrier.

I find it astounding that there's no mechanism in place to prevent this type of fraud. My phone was tied to all my financial accounts and two factor systems. They have mechanisms in place to put locks on transfers like internet domain names...but not for mobile numbers? How is this even possible?

It seems like Identity Theft is popular because there are so many hurdles in place to protect your identity.

Similar thing happened to me, this week... It's a little different, so thought I'd make you aware of what happened, to point out other ways they take over your phone account... We can not figure out how this could have happened.... Someone logged into my Sprint account, online, and used the Chat feature to change my phone number to a phone that they had in their possession... They did NOT purchase new phones, but they did change my plan on both phones on the account, to a different plan and added international calling... We can't figure out how they could have logged into my Sprint account, as I use a password that I don't use anywhere else, and not something easily figured out... But once they were in my account, they had access to the PIN and the security question... Luckily, I got an email immediately, and saw it within 10 minutes, thanking me for activating my new device!!! Sprint shut down my account and I have created a new one... The concerning thing is, how they were able to log into my Sprint account, as I don't log into it anywhere else but on one computer...

OMG.... This happened to me on Cyber Monday! I received a text from Sprint saying "your email address has been updated on Sprint.com," however I didn't change my email address. I logged on to Sprint.com to check my email address and it was correct. The irony of all of this is...my plan was to update my children's phone to the iPhone 7 as a Christmas present. Therefore, I had been looking out for deals.... so when I checked my email address and it was correct... I almost dismissed the text. It wasn't until I went to see what cyber deals Sprint had that I noticed that one of my eligible phone lines on my account said "upgrade pending." I was immediately alerted by this and contacted Sprint. I was on hold for a very long time.... when I did get to the first rep... she told me that 3 iPhones were just ordered on my account... (I only had 2 eligible phone upgrades on my account so I don't know how they let that fly). Additionally, they added an alternate address for shipping. Now the part that is unsettling is... when I first called the phones were "in process," after being on hold and passed from department to department and 2-3 hours later.... the phones were shipped out!!!!!!!!! So many things went wrong on this day.... and the next day.... I literally was sick b/c of this!! Most of the Sprint reps that I talked to were nice however, some pushed it!!! I don't think that they ever factored in that I was planning to upgrade my children's phones as a Christmas present and at this point in time... I don't know if that will happen. Also, the next day... Sprint's fraud department mistakenly cancelled my children's lines (2 lines). I didn't know about this until I found out that my son needed me and his phone didn't work. I have since been in contact with someone from Sprint's Executive Office... so hopefully... I can get this resolved before Christmas. I am not scared of a lot of things... but to be honest... it's scary to know that someone has some of your information and is using it in a criminal manner.... it's the fear of the unknown. My blood pressure is elevated and I just feel stressed out about the entire situation. I also placed fraud alerts on my profiles. I hope this was an isolated incident and I was thinking that it was someone within Sprint b/c they knew the EXACT day that those 2 lines were eligible for upgrades... but after reading other people's experience... I'm not so sure... sounds like organized crime.

My Sprint account was somehow hacked into this early this morning. I contacted customer service as soon as I found out it happened. It appears to have been an online order that was an upgrade on two phones & to be delivered to a completely different state. I do not know how they hacked into my account. I was planning on upgrading one phone to an S7 as a Christmas gift & closing out the other being the contract is up on it. Now, in order to upgrade to the S7, Sprint is saying that I have to pay almost $1,000 to do so. No telling what they will tell me when I want to cancel the other line...This is frustrating!!!!

Is it possible for my neighbors who have knowledge of my cell# from stealing my last billing statement from the mail to access or download my text messages and pictures to their personal device or view them through my account online?Or for them to also monitor when I create a new email account or social media account. Is it also possible for them to use my disconnected cell phone number which they have to access aol and gmail accounts registered with the 2-factor verification feature. If any of these things are possible how do I go about reporting it to the authorities without sounding like a crazy individual or being goaded in to making a false police report? I have a strong suspicion that my gmail accounts which I no longer have access to have been used to gather passwords that I saved using my Google calender to access other accounts I have. Should I file a report based on suspision and verbal taunts or just change all my passwords and accounts and just let it go? What are options do I have?

Someone hijacked my AT&T online account and ordered iPhone 7 using my "upgrade" on December 27,2016 and it was shipped to TX. Although the fraud department put the phone on a "Blacklist", the thieves still received the phone and have started using it. They have also used a ton of data and I keep getting charged $15 per 1 GB added & within a couple of minutes, they add another GB and charge me for the data. No one AT&T believe that someone else is using my data and continue to tell me to upgrade my plan, although I have plenty of data coverage for my phones. This is a nightmare! They have changed my passwords so I can't log into my accounts or email accounts. I am still "on hold" to speak to someone in the fraud department at AT&T to find out where all of this data is being used and get all of these charges reversed.

Pages

Add new comment

Privacy Act Statement

It is your choice whether to submit a comment. If you do, you must create a user name, or we will not post your comment. The Federal Trade Commission Act authorizes this information collection for purposes of managing online comments. Comments and user names are part of the Federal Trade Commission’s (FTC) public records system (PDF), and user names also are part of the FTC’s computer user records system (PDF). We may routinely use these records as described in the FTC’s Privacy Act system notices. For more information on how the FTC handles information that we collect, please read our privacy policy.